Circuit arrangement and method of detecting access violation in a microcontroller

ABSTRACT

To provide an electric or electronic circuit arrangement ( 100 ) as well as a method of detecting and/or identifying and/or recording at least an access violation, particularly at least a memory access violation, in a microcontroller provided particularly for a chip card or smart card, with which the source causing this access violation (referred to as break source) as well as the code address occurring upon this violation can be detected and/or identified and/or recorded when an access violation occurs during the program run, the circuit arrangement comprises  
     at least a memory unit ( 10 );  
     at least an interface unit ( 20 ) assigned to the memory unit ( 10 );  
     at least a processor unit ( 60 ) connected ( 30 ) to the memory unit ( 10 ) particularly via the interface unit ( 20 ) for executing instruction codes, which instruction codes  
     can be requested from the interface unit ( 20 ) by means of at least a request unit ( 40 ),  
     are run up in at least a fetch or request queue in the request unit ( 40 ), and  
     are decodable by means of at least a decoding unit ( 50 ) assigned to the processor unit ( 60 ) for running the fetch or request queue, in which a given category of access violation codes is assignable to each given category of access violations, which access violation code  
     replaces the corresponding instruction code, and  
     comprises data such as information on the address, particularly the code address and/or the type and/or the location and/or the source and/or the instant of the access violation.

[0001] The invention relates to an electric or electronic circuit arrangement and to a method of detecting and/or identifying and/or recording at least an access violation, particularly at least a memory access violation, in a microcontroller provided particularly for a chip card or smart card.

[0002] Such a direct detection and/or identification and/or recording of access violations, particularly memory access violations, is conventionally only possible in the case of violations occurring upon data memory access, because these violations have a direct temporal relation between the run-down of instructions and the access to the data memory unit or the EEPROM (=Electrically Erasable Programmable Read-Only Memory).

[0003] In contrast, there is generally no fixed temporal relation between the instant of collecting or requesting the instruction code and the instant of executing the instruction code in microcontrollers and particularly in microcontrollers provided for chip cards or smart cards (for example, in the form of SXA, i.e. “smart extended architecture”). In principle, these two processes run independently of each other and are only very loosely interrelated by the fetch or request queue mechanism.

[0004] Access violations, particularly memory access violations, are now conventionally detected by triggering a general break exception process. As already stated hereinbefore, the memory source causing the access violation as well as the associated code address of the instruction causing the access violation cannot be detected in microcontrollers and particularly in microcontrollers provided for chip cards or smart cards.

[0005] This impossibility of diagnosing or tracing the cause(s) of a general break exception has the result that, in the case of a memory access violation, the operating system of the circuit arrangement could hitherto not detect which memory unit triggered the violation and which instruction had exactly led to the violation. Also the circuit arrangements and methods known from the documents DE 37 36 190 μl, U.S. Pat. Nos. 5,155,829, 5,491,827 and 5,920,690 cannot eliminate these problems.

[0006] Starting from the conventional arrangements, the present invention has for its object to provide an electric or electronic circuit arrangement and a method of the type described in the opening paragraph with which, in the case of occurrence of an access violation during the program run, the source causing this access violation (referred to as break source) as well as the code address at which the violation occurs can be detected and/or identified and/or recorded.

[0007] This object is solved by the characteristic features defined in claim 1 for an electric or electronic circuit arrangement and by the characteristic features defined in claim 9 for a corresponding method. Advantageous embodiments and further embodiments of the present invention are defined in the dependent claims.

[0008] The teaching of the present invention is based on specially defined and/or specially encoded access violation codes which indicate an access violation and, like the conventional instruction codes, are passed or moved through the fetch or request queue before these access violation codes become effective, for example, in the form of an “exception” and/or a “flag” during execution by means of the processor unit.

[0009] Requesting the instruction code or the access violation code and executing the instruction code or the access violation code substantially proceed temporally independently of each other in this case, i.e. “code memory fetch timing” and “instruction execution timing” are temporally independent of each other.

[0010] Such an access violation, which usually occurs when instruction codes are fetched or requested, is only effective in accordance with an advantageous embodiment of the present invention when the codes are actually executed after running through the fetch or request queue. In other words, this means that a violation does not occur when the fetch or request queue is erased before the code leading to a violation is executed.

[0011] With reference to the present invention, those skilled in the field of electric or electronic circuit techniques will appreciate the fact that the code access violation is detected exactly at the instant of executing the instruction code or the access violation code by the processor unit, i.e. it is not detected at the instant when the instruction code or the access violation code is fetched or requested from the relevant (code) memory unit (=the code-fetch instant). In this connection, the present invention provides the particularly valuable advantage that it can be recognized within the scope of the access violation in which (code) memory unit this access violation has taken place.

[0012] For the access violation codes which are specially defined for this purpose and indicate an access violation, and which, like conventional instruction codes, are passed through the fetch or request queue, unused reserved op-codes are defined or modified in accordance with a particularly inventive further embodiment, namely a special op-code for each type of code access violation.

[0013] When an access violation occurs in one of the (memory) interface units in the case of a code-fetch, i.e. in the case of fetching or requesting the instruction code, it is not the expected (memory) op-code but the relevant access violation (op-)code of the (memory) interface unit that is entered into the fetch or request queue. The corresponding fetch or request sequence content now carries the data and information about the addresses, particularly the code addresses, and/or the type and/or the location and/or the source and/or the instant of the access violation.

[0014] In a further preferred embodiment of the present invention, the circuit arrangement and the method performed with the circuit arrangement are implemented in such a way that, only when the relevant access violation (op-)code reaches the decoding unit and is to be executed, the decoding unit recognizes that a code access violation has taken place at this location in the instruction sequence. In this case, at least a corresponding exception is triggered and/or at least a corresponding flag is set.

[0015] In a suitable embodiment of the present invention, at least a source register, particularly a break point-source register, comprises several of such flags which can be set in a preferable way by the decoding unit when the decoding unit reaches one or more access violation (op-)codes. In other words, this means that this source register serves for recognizing and/or identifying and/or recording the break source or the origin of the violation when this exception is realized, i.e. when an exception routine is provided.

[0016] In accordance with an advantageous further embodiment of the present invention, the access violation (op-)code itself is also cleared or erased when clearing the request unit or when erasing the fetch or request queue, which is done in the meantime, i.e. before running the access violation code. Due to this disappearance of the access violation (op-)code from the fetch or request queue, taking place between the code-fetch and the code-run, no exception is triggered and/or no flag is set. In other words, this means that the fetch or request queue mechanism only responds to certain illegal fetch or request processes which are also actually decoded and executed.
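The following Python model is an added illustration and is not part of the patent text or of any product implementing it. It simulates the mechanism of paragraphs [0012] to [0016] (and the embodiment of [0022] to [0026]): a memory interface substitutes a reserved violation op-code for the instruction on an illegal code fetch, the entry travels through the prefetch queue carrying its code address, the decoder sets the break-source flag and raises the exception only when the entry is actually executed, and a queue flush (here caused by a taken jump) silently discards violation entries that were prefetched but never executed. All class names, op-code values, executable windows and memory images are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed instruction set (assumption): ordinary op-codes plus one
# reserved, otherwise unused op-code per memory interface ([0012]).
NOP, JMP, HALT = 0x00, 0x20, 0xFF
AV_ROM, AV_EEPROM = 0xF0, 0xF1
VIOLATION_SOURCE = {AV_ROM: "ROM", AV_EEPROM: "EEPROM"}

@dataclass
class QueueEntry:
    opcode: int
    operand: int
    addr: int  # code address the entry was fetched from ([0013])

class MemoryInterface:
    """Interface unit (20): on a code fetch outside the window this memory
    may be executed from, it enters its own violation op-code into the
    queue instead of the instruction ([0013])."""
    def __init__(self, av_code, image, exec_window):
        self.av_code, self.image = av_code, image
        self.exec_lo, self.exec_hi = exec_window

    def owns(self, addr):
        return addr in self.image

    def fetch(self, addr):
        if not (self.exec_lo <= addr < self.exec_hi):
            return QueueEntry(self.av_code, 0, addr)
        return QueueEntry(*self.image[addr], addr)

class RequestUnit:
    """Request unit (40): fills the fetch queue ahead of the decoder, so
    fetch timing and execution timing are decoupled ([0009])."""
    def __init__(self, interfaces, depth=4):
        self.interfaces, self.depth = interfaces, depth
        self.queue, self.next_fetch = deque(), 0

    def fill(self):
        while len(self.queue) < self.depth:
            iface = next((i for i in self.interfaces if i.owns(self.next_fetch)), None)
            if iface is None:
                break  # nothing mapped beyond this address
            self.queue.append(iface.fetch(self.next_fetch))
            self.next_fetch += 1

    def flush(self, new_pc):
        """Erasing the queue also erases any violation code still in it ([0016])."""
        self.queue.clear()
        self.next_fetch = new_pc

@dataclass
class SourceRegister:
    """Break-source register (70): a flag per source plus the code address
    recorded at execution time ([0015], [0018])."""
    flags: dict = field(default_factory=dict)
    code_addr: int = -1  # -1: no violation recorded

class AccessViolation(Exception):
    pass

class Decoder:
    """Decoding unit (50): a violation code becomes effective only when it
    is taken from the queue for execution ([0014])."""
    def __init__(self, request_unit):
        self.ru, self.source_reg, self.executed = request_unit, SourceRegister(), []

    def step(self):
        """Execute one queue entry; returns False once HALT has executed."""
        self.ru.fill()
        entry = self.ru.queue.popleft()
        if entry.opcode in VIOLATION_SOURCE:
            src = VIOLATION_SOURCE[entry.opcode]
            self.source_reg.flags[src] = True
            self.source_reg.code_addr = entry.addr
            raise AccessViolation(f"code-fetch violation in {src} at {entry.addr:#06x}")
        self.executed.append(entry.addr)
        if entry.opcode == JMP:
            self.ru.flush(entry.operand)
        return entry.opcode != HALT

def run(decoder):
    """Run to HALT or to the first effective violation and report what the
    operating system's exception routine could read back ([0017])."""
    try:
        while decoder.step():
            pass
        return {"violation": None, "code_addr": None, "executed": decoder.executed}
    except AccessViolation:
        reg = decoder.source_reg
        return {"violation": next(iter(reg.flags)), "code_addr": reg.code_addr,
                "executed": decoder.executed}

def scenario_violation_executed():
    # Constructed ROM image: 0x000-0x007 hold NOPs, but only 0x000-0x004 are
    # executable, so straight-line execution reaches the violation entry.
    rom = MemoryInterface(AV_ROM, {a: (NOP, 0) for a in range(8)}, (0x000, 0x005))
    return run(Decoder(RequestUnit([rom])))

def scenario_violation_flushed():
    # Constructed images: the prefetcher has already queued violation entries
    # for 0x002/0x003 when the JMP at 0x001 executes and flushes the queue.
    rom_image = {0x000: (NOP, 0), 0x001: (JMP, 0x100), 0x002: (NOP, 0), 0x003: (NOP, 0)}
    rom = MemoryInterface(AV_ROM, rom_image, (0x000, 0x002))
    eeprom = MemoryInterface(AV_EEPROM, {0x100: (NOP, 0), 0x101: (HALT, 0)}, (0x100, 0x110))
    return run(Decoder(RequestUnit([rom, eeprom])))
```

In the first scenario the exception routine reads back both the break source ("ROM") and the exact code address (0x005) of the offending fetch, which a general break exception alone could not provide. In the second scenario the prefetcher had already queued two violation entries, yet no flag is set and no exception fires, because the jump erased them before they reached the decoder: the diagnosis reflects only fetches that were actually executed.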

[0017] In summary, it can be concluded that the circuit arrangement and the method provide the possibility of an exact diagnosis of one or more (memory) access violations by means of the exception routine of the operating system in relation to the instruction causing the violation and in relation to the source causing the violation (=break source).

[0018] This is particularly important in systems imposing strict reliability requirements, in which the operating system performs strong control and reliability functions mostly implemented in the (memory) interface units via the application code used in the system, i.e. it checks whether one or more (memory) access violations have occurred. In this case, the actual code address of the instruction, leading to the disturbance, can be stored at the instant of executing the illegal code by means of the processor unit. As a result, the operating system is caused to run an error message and/or eliminate the disturbance as well as, even more importantly, its cause.

[0019] These and other aspects of the invention are apparent from and will be elucidated with reference to the embodiments described hereinafter.

IN THE DRAWING

[0020] FIG. 1 is a principal circuit diagram of an embodiment of a circuit arrangement according to the present invention.

[0021] The electronic circuit arrangement 100, shown in FIG. 1, to be implemented and integrated in a chip card or smart card is used for detecting and/or identifying and/or recording at least an access violation, particularly at least a memory access violation.

[0022] To this end, the circuit arrangement 100 comprises a memory unit 10 which is provided with an interface unit 20. By means of a connection 30, the memory unit 10 is connected via the interface unit 20 to a processor unit 60 for executing instruction codes. These instruction codes can be requested via a request unit 40 from the interface unit 20 and are run up in a fetch or request queue in the request unit 40. For running the fetch or request queue, these instruction codes are decodable by means of a decoding unit 50 assigned to the processor unit 60.

[0023] A particular detail of the circuit arrangement 100 as well as of the method in which the circuit arrangement 100 is used is that each given category of access violation is assignable to a given category of access violation codes. This access violation code replaces the corresponding instruction code and comprises data such as information on the address, particularly the code address, and/or the type and/or the location and/or the source and/or the instant of the access violation.

[0024] In the circuit arrangement 100 in accordance with the embodiment shown in FIG. 1, the request for the instruction code and the execution of the instruction code take place temporally independent of each other. Consequently, the access violation is not indicated when the instruction code is requested but is indicated when it is executed. In the individual case, this may also mean that the access violation code is also erased in the desired manner when the fetch or request queue is erased before running the access violation code.

[0025] The temporal separation between requesting the instruction code and executing the instruction code also implies that the access violation is detected and/or identified and/or recorded at the instant of executing the access violation code. Only when the access violation code is executed is an exception routine generated and a flag set by the decoding unit 50.

[0026] In this respect, the exception routine and the flag are made available by a source register 70 assigned to the decoding unit 50, by which the address, particularly the code address, the type, the location, the source and the instant of the access violation can be identified.

LIST OF REFERENCE NUMERALS

[0027]
100 circuit arrangement
10 memory unit
20 interface unit
30 connection between memory unit 10 and processor unit 60
40 request unit
50 decoding unit
60 processor unit
70 source register

1. An electric or electronic circuit arrangement (100) for detecting and/or identifying and/or recording at least an access violation, particularly at least a memory access violation, in a microcontroller provided particularly for a chip card or smart card, the circuit arrangement comprising at least a memory unit (10); at least an interface unit (20) assigned to the memory unit (10); at least a processor unit (60) connected (30) to the memory unit (10) particularly via the interface unit (20) for executing instruction codes, which instruction codes can be requested from the interface unit (20) by means of at least a request unit (40), are run up in at least a fetch or request queue in the request unit (40), and are decodable by means of at least a decoding unit (50) assigned to the processor unit (60) for running the fetch or request queue, in which a given category of access violation codes is assignable to each given category of access violations, which access violation code replaces the corresponding instruction code, and comprises data such as information on the address, particularly the code address, and/or the type and/or the location and/or the source and/or the instant of the access violation.
2. A circuit arrangement (100) as claimed in claim 1, characterized in that the request for the instruction code and the execution of the instruction code are temporally independent of each other, particularly in that the access violation is not indicated when the instruction code is requested but is indicated when the instruction code is executed.
3. A circuit arrangement (100) as claimed in claim 1 or 2, characterized in that the access violation code is also erasable when the fetch or request queue is erased before running the access violation code.
4. A circuit arrangement (100) as claimed in any one of claims 1 to 3, characterized in that the access violation is detectable and/or identifiable and/or recordable at the instant of executing the access violation code.
5. A circuit arrangement (100) as claimed in any one of claims 1 to 4, characterized in that at least an exception routine can be generated and/or at least a flag can be set by the decoding unit (50) when the access violation code is being executed.
6. A circuit arrangement (100) as claimed in claim 5, characterized in that the exception routine and/or the flag can be made available by at least a source register (70).
7. A circuit arrangement (100) as claimed in claim 6, characterized in that the source register (70) is assigned to the decoding unit (50).
8. A circuit arrangement (100) as claimed in claim 6 or 7, characterized in that the address, particularly the code address, and/or the type and/or the location and/or the source and/or the instant of the access violation is identifiable by means of the source register (70).
9. A method of detecting and/or identifying and/or recording at least an access violation, particularly at least a memory access violation, in a microcontroller provided particularly for a chip card or smart card, the method comprising the steps of (a) requesting instruction codes from an interface unit (20) assigned to at least a memory unit (10) by means of at least a request unit (40); (b) running up the instruction code in at least a fetch or request queue in the request unit (40); (c) running the fetch or request queue by decoding the instruction code by means of at least a decoding unit (50) assigned to at least a processor unit (60); (d) executing the instruction code by means of the processor unit (60) connected (30) to the memory unit (10) particularly via the interface unit (20); in which a given category of access violation codes is assigned to each given category of access violations, replacing the instruction code by the corresponding access violation code and transporting data such as information on the address, particularly the code address, and/or the type and/or the location and/or the source and/or the instant of the access violation by means of the access violation code.
10. A method as claimed in claim 9, characterized in that the instruction code is requested and executed temporally independently of each other, particularly in that the access violation is not indicated when the instruction code is requested but is indicated when the instruction code is executed.
11. A method as claimed in claim 9 or 10, characterized in that the access violation code is also erased when the fetch or request queue is erased before running the access violation code.
12. A method as claimed in any one of claims 9 to 11, characterized in that the access violation is detected and/or identified and/or recorded at the instant of executing the access violation code.
13. A method as claimed in any one of claims 9 to 12, characterized in that at least an exception routine is generated and/or at least a flag is set by the decoding unit (50) when the access violation code is being executed.
14. A method as claimed in claim 13, characterized in that the exception routine and/or the flag is made available by at least a source register (70) which is particularly assignable to the decoding unit (50).
15. A method as claimed in claim 14, characterized in that the address, particularly the code address, and/or the type and/or the location and/or the source and/or the instant of the access violation is identified by the source register (70).